Mastodon, an open-source decentralized social networking platform, has addressed four vulnerabilities, with one of them being critical that could allow threat actors to create arbitrary files on the server using specially crafted media files. The platform, which boasts about 8.8 million users across 13,000 separate servers hosted by volunteers, supports distinct yet interconnected communities.
These vulnerabilities were identified by independent auditors at Cure53, a firm offering penetration testing for digital services. The audit was conducted at the request of Mozilla. The most significant of these vulnerabilities, known as TootRoot (CVE-2023-36460), presents attackers with an easy method to compromise targeted servers. This issue lies in Mastodon's media processing code, which could allow media files on toots (equivalent to tweets) to cause a range of issues, from DoS to arbitrary remote code execution.
Security researcher Kevin Beaumont underscored the risks posed by TootRoot, stating that a toot could be used to embed backdoors on the servers delivering content to Mastodon users. Such a breach would grant attackers total control over the server and the data it manages, including users' sensitive information.
Another critical flaw is CVE-2023-36459, a cross-site scripting (XSS) vulnerability on oEmbed preview cards used in Mastodon. This flaw could be exploited to bypass HTML sanitization on the target browser, potentially leading to account hijacking, user impersonation, or access to sensitive data.
The remaining two vulnerabilities addressed by Mastodon are CVE-2023-36461, a high-severity DoS flaw through slow HTTP responses, and CVE-2023-36462, also rated with high-severity that allows an attacker to format a verified profile link in a deceptive manner, potentially facilitating phishing attacks.
These vulnerabilities affect all versions of Mastodon from 3.5.0 onward and were patched in versions 3.5.9, 4.0.5, and 4.1.3. The patches are server security updates and need to be applied by administrators to mitigate the risk for their communities.